This article details how to set up Android applications to support Passkey native logins with Okta.

• Okta Identity Engine (OIE)
• Android
• okta-mobile-kotlin SDK (IDX Authentication)
• Passkeys/WebAuthn

Prerequisite steps:

• Configured Native OIDC application
• Configured Authentication Policies to allow/require Passkeys (FIDO/WebAuthn)

Documentation for prerequisites:

• Android IDX Sample App
• Global / Application sign-on policies

Configure the Android /.well-known/assetlinks.json:

• In Android Studio:
  1. Navigate to Tools > App Links Assistant.
  2. Click Create Applink.
  3. Select Open Digital Asset Links File Generator.
  4. Select Apps module, Site domain (Okta custom domain URL), App ID, and Signing Key.
  5. Select Support sharing credentials between app and website and Sign In URL is the same as site domain.
  6. Select Generate Digital Assets Links File.
  7. Copy the preview value. Then, click Link and Verify.

This may prompt changes in:

• • • AndroidManifest.xml

      <meta-data
        android:name="asset_statements"
        android:resource="@string/asset_statements" />

• • • Strings.xml

      <string name="asset_statements" translatable="false">[{ \"include\": \"https://{$site_domain}/.well-known/assetlinks.json\" }]</string>

• In Okta:
  1. Navigate to Customizations > Brands > ${Brand_id} > Domains.
  2. Under Well-known URIs, click Configure for assetlinks.json.
  3. Paste the Asset Link value generated in Studio and save.
  4. Verify by navigating to https://${custom_domain}/.well-known/assetlinks.json

Potential Issues

If there is not an option to configure assetlinks under Customizations > Brands > ${Brand_id} > Domains, or During Enrollment/Authentication, and the following error is returned, verify that Android Native App Passkey Support is enabled by navigating to Settings > Features.

Origin parameter in client data doesn't match. clientData origin was android:apk-key-hash:...',